Summary

In response to the critical security vulnerability discovered in the OpenSSL cryptography software library (CVE-2014-0160), nicknamed “Heartbleed,” Cradlepoint has taken steps to incorporate OpenSSL version 1.0.1g into its latest firmware and Enterprise Cloud Manager. If exploited, this vulnerability could allow attackers to monitor all information passed between a user and a web service, or to decrypt past traffic they have collected. More details can be found here: http://heartbleed.com.

Affected Products

Cradlepoint recommends immediately upgrading products to the latest firmware versions in order to mitigate this vulnerability. The following are affected products:

AER 2100

ARC MBR1400

MBR1400

MBR1200B

ARC CBA750B

CBA750B

COR IBR600

COR IBR650

CBR400

CBR450

MBR95

PLEASE NOTE: On WAN interfaces, routers were only exposed to risk under the following conditions:

1. Remote access is enabled (setting disabled by default)

2. AND remote administration access control is not enabled (setting disabled by default).

On LAN interfaces, routers were only exposed under the following conditions:

If the network allows Admin Access, which is the default for the Primary LAN. Guest LAN default settings do not allow Admin Access and are not exposed to this vulnerability. Admin Access can be checked using the Network Settings / WiFi / Local Networks tab, listed for each network in the “Access Control” section.

Product firmware prior to the patch release remains affected by this bug regardless of the mitigation steps above, and Cradlepoint recommends firmware upgrades for all affected products.

The AER3100, COR IBR1100, COR IBR1150, COR IBR350 and ARC CBA850 *are not* affected, as they were released after the applicable firmware update and consequently with patched firmware versions factory-loaded.

Products Not Affected

CBA750 (prior version to CBA750B)

CTR35

CBA250

CTR350

CTR500

CX111 (Juniper)

MBR90

MBR800

MBR900

MBR1000

MBR1100

MBR1200 (prior version to MBR1200B)

PHS300

PHS2000W

Rover Puck

Oldest Firmware with Heartbleed Patch

Firmware versions listed below were the first to include the Heartbleed fix.

Cradlepoint Cloud Management & Mitigation

Enterprise Cloud Manager web servers were not affected, so usernames and passwords are not at risk.

WiPipe Central was not affected.

In conjunction with the release of new firmware on April 14, 2014, Cradlepoint will reissue new certificates in Enterprise Cloud Manager to invalidate private keys that could be used to decrypt data for malicious purposes. Users should upgrade firmware and follow the appropriate steps documented below.